3.0-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 9 Jun 2012 15:49:58 +0000 (00:49 +0900)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 9 Jun 2012 15:49:58 +0000 (00:49 +0900)
added patches:
btree-fix-tree-corruption-in-btree_get_prev.patch
char-agp-add-another-ironlake-host-bridge.patch
powerpc-fix-kernel-panic-during-kernel-module-load.patch

queue-3.0/btree-fix-tree-corruption-in-btree_get_prev.patch [new file with mode: 0644]
queue-3.0/char-agp-add-another-ironlake-host-bridge.patch [new file with mode: 0644]
queue-3.0/powerpc-fix-kernel-panic-during-kernel-module-load.patch [new file with mode: 0644]
queue-3.0/series [new file with mode: 0644]

diff --git a/queue-3.0/btree-fix-tree-corruption-in-btree_get_prev.patch b/queue-3.0/btree-fix-tree-corruption-in-btree_get_prev.patch
new file mode 100644 (file)
index 0000000..5c3c5e3
--- /dev/null
@@ -0,0 +1,54 @@
+From cbf8ae32f66a9ceb8907ad9e16663c2a29e48990 Mon Sep 17 00:00:00 2001
+From: Roland Dreier <roland@purestorage.com>
+Date: Thu, 7 Jun 2012 14:21:13 -0700
+Subject: btree: fix tree corruption in btree_get_prev()
+
+From: Roland Dreier <roland@purestorage.com>
+
+commit cbf8ae32f66a9ceb8907ad9e16663c2a29e48990 upstream.
+
+The memory the parameter __key points to is used as an iterator in
+btree_get_prev(), so if we save off a bkey() pointer in retry_key and
+then assign that to __key, we'll end up corrupting the btree internals
+when we do eg
+
+       longcpy(__key, bkey(geo, node, i), geo->keylen);
+
+to return the key value.  What we should do instead is use longcpy() to
+copy the key value that retry_key points to __key.
+
+This can cause a btree to get corrupted by seemingly read-only
+operations such as btree_for_each_safe.
+
+[akpm@linux-foundation.org: avoid the double longcpy()]
+Signed-off-by: Roland Dreier <roland@purestorage.com>
+Acked-by: Joern Engel <joern@logfs.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ lib/btree.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/lib/btree.c
++++ b/lib/btree.c
+@@ -319,8 +319,8 @@ void *btree_get_prev(struct btree_head *
+       if (head->height == 0)
+               return NULL;
+-retry:
+       longcpy(key, __key, geo->keylen);
++retry:
+       dec_key(geo, key);
+       node = head->node;
+@@ -351,7 +351,7 @@ retry:
+       }
+ miss:
+       if (retry_key) {
+-              __key = retry_key;
++              longcpy(key, retry_key, geo->keylen);
+               retry_key = NULL;
+               goto retry;
+       }
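Review bot: Nothing at the moved `retry:` label records why it now sits below `longcpy(key, __key, geo->keylen)`, and that placement is the substance of the fix. Per the commit message, `__key` is the caller's iterator and is written on return, while `retry_key` is a saved bkey() pointer into node storage, so aliasing the two lets the copy-out overwrite keys inside the tree. A comment above the label such as `/* key is our private working copy; never point __key at node memory, it is written on return */` would keep a later cleanup from reintroducing the alias. The stretch of btree_get_prev() between `retry:` and `miss:` lies outside the hunk, so it should be checked that nothing on the retry path still reads `__key` expecting the retried key.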
diff --git a/queue-3.0/char-agp-add-another-ironlake-host-bridge.patch b/queue-3.0/char-agp-add-another-ironlake-host-bridge.patch
new file mode 100644 (file)
index 0000000..0165792
--- /dev/null
@@ -0,0 +1,42 @@
+From 67384fe3fd450536342330f684ea1f7dcaef8130 Mon Sep 17 00:00:00 2001
+From: Eugeni Dodonov <eugeni.dodonov@intel.com>
+Date: Wed, 6 Jun 2012 11:59:06 -0300
+Subject: char/agp: add another Ironlake host bridge
+
+From: Eugeni Dodonov <eugeni.dodonov@intel.com>
+
+commit 67384fe3fd450536342330f684ea1f7dcaef8130 upstream.
+
+This seems to come on Gigabyte H55M-S2V and was discovered through the
+https://bugs.freedesktop.org/show_bug.cgi?id=50381 debugging.
+
+Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=50381
+Signed-off-by: Eugeni Dodonov <eugeni.dodonov@intel.com>
+Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/char/agp/intel-agp.c |    1 +
+ drivers/char/agp/intel-agp.h |    1 +
+ 2 files changed, 2 insertions(+)
+
+--- a/drivers/char/agp/intel-agp.c
++++ b/drivers/char/agp/intel-agp.c
+@@ -897,6 +897,7 @@ static struct pci_device_id agp_intel_pc
+       ID(PCI_DEVICE_ID_INTEL_B43_HB),
+       ID(PCI_DEVICE_ID_INTEL_B43_1_HB),
+       ID(PCI_DEVICE_ID_INTEL_IRONLAKE_D_HB),
++      ID(PCI_DEVICE_ID_INTEL_IRONLAKE_D2_HB),
+       ID(PCI_DEVICE_ID_INTEL_IRONLAKE_M_HB),
+       ID(PCI_DEVICE_ID_INTEL_IRONLAKE_MA_HB),
+       ID(PCI_DEVICE_ID_INTEL_IRONLAKE_MC2_HB),
+--- a/drivers/char/agp/intel-agp.h
++++ b/drivers/char/agp/intel-agp.h
+@@ -211,6 +211,7 @@
+ #define PCI_DEVICE_ID_INTEL_G41_HB          0x2E30
+ #define PCI_DEVICE_ID_INTEL_G41_IG          0x2E32
+ #define PCI_DEVICE_ID_INTEL_IRONLAKE_D_HB         0x0040
++#define PCI_DEVICE_ID_INTEL_IRONLAKE_D2_HB        0x0069
+ #define PCI_DEVICE_ID_INTEL_IRONLAKE_D_IG         0x0042
+ #define PCI_DEVICE_ID_INTEL_IRONLAKE_M_HB         0x0044
+ #define PCI_DEVICE_ID_INTEL_IRONLAKE_MA_HB        0x0062
diff --git a/queue-3.0/powerpc-fix-kernel-panic-during-kernel-module-load.patch b/queue-3.0/powerpc-fix-kernel-panic-during-kernel-module-load.patch
new file mode 100644 (file)
index 0000000..c8a8f73
--- /dev/null
@@ -0,0 +1,68 @@
+From 3c75296562f43e6fbc6cddd3de948a7b3e4e9bcf Mon Sep 17 00:00:00 2001
+From: Steffen Rumler <steffen.rumler.ext@nsn.com>
+Date: Wed, 6 Jun 2012 16:37:17 +0200
+Subject: powerpc: Fix kernel panic during kernel module load
+
+From: Steffen Rumler <steffen.rumler.ext@nsn.com>
+
+commit 3c75296562f43e6fbc6cddd3de948a7b3e4e9bcf upstream.
+
+This fixes a problem which can causes kernel oopses while loading
+a kernel module.
+
+According to the PowerPC EABI specification, GPR r11 is assigned
+the dedicated function to point to the previous stack frame.
+In the powerpc-specific kernel module loader, do_plt_call()
+(in arch/powerpc/kernel/module_32.c), GPR r11 is also used
+to generate trampoline code.
+
+This combination crashes the kernel, in the case where the compiler
+chooses to use a helper function for saving GPRs on entry, and the
+module loader has placed the .init.text section far away from the
+.text section, meaning that it has to generate a trampoline for
+functions in the .init.text section to call the GPR save helper.
+Because the trampoline trashes r11, references to the stack frame
+using r11 can cause an oops.
+
+The fix just uses GPR r12 instead of GPR r11 for generating the
+trampoline code.  According to the statements from Freescale, this is
+safe from an EABI perspective.
+
+I've tested the fix for kernel 2.6.33 on MPC8541.
+
+Signed-off-by: Steffen Rumler <steffen.rumler.ext@nsn.com>
+[paulus@samba.org: reworded the description]
+Signed-off-by: Paul Mackerras <paulus@samba.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kernel/module_32.c |   11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+--- a/arch/powerpc/kernel/module_32.c
++++ b/arch/powerpc/kernel/module_32.c
+@@ -187,8 +187,8 @@ int apply_relocate(Elf32_Shdr *sechdrs,
+ static inline int entry_matches(struct ppc_plt_entry *entry, Elf32_Addr val)
+ {
+-      if (entry->jump[0] == 0x3d600000 + ((val + 0x8000) >> 16)
+-          && entry->jump[1] == 0x396b0000 + (val & 0xffff))
++      if (entry->jump[0] == 0x3d800000 + ((val + 0x8000) >> 16)
++          && entry->jump[1] == 0x398c0000 + (val & 0xffff))
+               return 1;
+       return 0;
+ }
+@@ -215,10 +215,9 @@ static uint32_t do_plt_call(void *locati
+               entry++;
+       }
+-      /* Stolen from Paul Mackerras as well... */
+-      entry->jump[0] = 0x3d600000+((val+0x8000)>>16); /* lis r11,sym@ha */
+-      entry->jump[1] = 0x396b0000 + (val&0xffff);     /* addi r11,r11,sym@l*/
+-      entry->jump[2] = 0x7d6903a6;                    /* mtctr r11 */
++      entry->jump[0] = 0x3d800000+((val+0x8000)>>16); /* lis r12,sym@ha */
++      entry->jump[1] = 0x398c0000 + (val&0xffff);     /* addi r12,r12,sym@l*/
++      entry->jump[2] = 0x7d8903a6;                    /* mtctr r12 */
+       entry->jump[3] = 0x4e800420;                    /* bctr */
+       DEBUGP("Initialized plt for 0x%x at %p\n", val, entry);
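Review bot: The r12 encodings `0x3d800000` and `0x398c0000` are now written out twice, once in entry_matches() and once in do_plt_call(), and the two must stay bit-identical or entry_matches() returns 0 for trampolines that do_plt_call() itself wrote. Naming them once, for example `#define PLT_LIS_R12 0x3d800000` and `#define PLT_ADDI_R12 0x398c0000`, and using the names in both functions removes that coupling. The new lines also carry no comment on why r12 is used instead of r11; something like `/* r12, not r11: r11 points to the previous stack frame when the GPR save helpers run */` above `entry->jump[0]` would stop the register from being changed back. do_plt_call() begins outside the hunk.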
diff --git a/queue-3.0/series b/queue-3.0/series
new file mode 100644 (file)
index 0000000..6319d02
--- /dev/null
@@ -0,0 +1,3 @@
+char-agp-add-another-ironlake-host-bridge.patch
+btree-fix-tree-corruption-in-btree_get_prev.patch
+powerpc-fix-kernel-panic-during-kernel-module-load.patch